Enc-DNS-HTTP: Utilising DNS Infrastructure to Secure Web Browsing

Online information security is a major concern for both users and companies, since data transferred via the Internet is becoming increasingly sensitive. The World Wide Web uses Hypertext Transfer Protocol (HTTP) to transfer information and Secure Sockets Layer (SSL) to secure the connection between clients and servers. However, Hypertext Transfer Protocol Secure (HTTPS) is vulnerable to attacks that threaten the privacy of information sent between clients and servers. In this paper, we propose Enc-DNS-HTTP for securing client requests, protecting server responses, and withstanding HTTPS attacks. Enc-DNS-HTTP is based on the distribution of a web server's public key, which is transferred over a secure communication channel between the client and a Domain Name System (DNS) server. This key is then used to encrypt client-server communication. The scheme is implemented in the C programming language and tested on a Linux platform. In comparison with Apache HTTPS, the scheme is shown to resist attacks more effectively and to perform better, since it involves fewer time-consuming operations.
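The abstract rests the whole scheme on one step: the client must obtain the server's public key from the DNS server over a channel that an attacker cannot alter, otherwise a forged response would hand the client an attacker-controlled key. The following Python model, written for this page and not taken from the paper's C implementation, illustrates that step. It assumes (since the abstract does not specify the mechanism) that the client-resolver channel is authenticated with a pre-shared MAC key, and it represents the server public key as opaque placeholder bytes; the later encryption of HTTP traffic with that key is outside the example. The hostname, key bytes and timestamps are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed value standing in for whatever secures the client-resolver channel
# in Enc-DNS-HTTP; the abstract does not say how that channel is protected,
# so a pre-shared MAC key is an assumption made for this illustration only.
DNS_CHANNEL_KEY = b"constructed-client-resolver-secret"


def dns_publish_key_record(hostname, server_pubkey, not_after, channel_key=DNS_CHANNEL_KEY):
    """Resolver side: bind a server public key to a hostname and authenticate
    the record towards the client with a MAC over a canonical encoding."""
    body = json.dumps(
        {"name": hostname, "pubkey": server_pubkey.hex(), "not_after": not_after},
        sort_keys=True,
    ).encode()
    tag = hmac.new(channel_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def client_fetch_server_key(record, expected_host, now, channel_key=DNS_CHANNEL_KEY):
    """Client side: accept the public key only if the record is authentic,
    names the host that was asked for, and has not expired. Raises ValueError
    otherwise, so an unverified key is never used for encryption."""
    expected_tag = hmac.new(channel_key, record["body"], hashlib.sha256).hexdigest()
    # Constant-time comparison so tag bytes do not leak through timing.
    if not hmac.compare_digest(expected_tag, record["tag"]):
        raise ValueError("key record failed channel authentication")
    fields = json.loads(record["body"])
    if fields["name"] != expected_host:
        raise ValueError("key record is for a different host")
    if fields["not_after"] < now:
        raise ValueError("key record has expired")
    return bytes.fromhex(fields["pubkey"])


def substitute_key(record, other_pubkey):
    """Test vector: the same record with its key field replaced and the
    original tag left in place, i.e. a response altered in transit."""
    fields = json.loads(record["body"])
    fields["pubkey"] = other_pubkey.hex()
    return {"body": json.dumps(fields, sort_keys=True).encode(), "tag": record["tag"]}


def demo():
    """Run the genuine and the altered case; returns both outcomes."""
    genuine_pubkey = bytes.fromhex("a1b2c3d4e5f60718")  # constructed placeholder key bytes
    other_pubkey = bytes.fromhex("ffffffffffffffff")    # constructed placeholder key bytes
    now = 1_700_000_000                                 # constructed clock value
    record = dns_publish_key_record("www.example.com", genuine_pubkey, not_after=now + 3600)

    accepted = client_fetch_server_key(record, "www.example.com", now)

    rejected_reason = None
    try:
        client_fetch_server_key(substitute_key(record, other_pubkey), "www.example.com", now)
    except ValueError as exc:
        rejected_reason = str(exc)

    return {"accepted_key": accepted, "tampered_rejected": rejected_reason}


if __name__ == "__main__":
    print(demo())
```

The point of the three checks in `client_fetch_server_key` is that the key is only as trustworthy as the channel it arrived on: a record that fails the MAC, names another host, or is stale must not become the key that encrypts the user's requests. In a real deployment the MAC would be replaced by whatever the scheme uses to secure the client-DNS exchange (the paper's choice is not stated in the abstract).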
